Did Dave & Buster's Get Butthurt Over Their Crappy Controls?

Earlier this week we told you Dave & Buster's gave Uncle Ernie auditors the old heave ho but we were entirely unable to find anything suspicious that might shed some light on the D&B/E&Y breakup. Could it be that Uncle Ernie was uncomfortable with D&B's questionable controls and made the relationship too uncomfortable to continue? We can only wildly speculate.

Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. Here is the Agreement Containing Consent Order. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.

Dave & Buster's collects from consumers the following kinds of card information to obtain authorization for payment card purchases: credit card account number, expiration date, and an electronic security code for payment card authorization. The restaurant collects this information at in-store terminals, transfers the data to its in-store servers, and then transmits the data to a third-party credit card processing company. The FTC alleges the hacker was successful because Dave & Buster's:

(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;

(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;

(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;

(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and

(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.
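Points (a) through (d) boil down to a few checks that in-store servers handling card data should only ever talk to the payment processor, that only a known vendor host should be allowed in, and that somebody should be reading the logs. The script below, added here as an illustration and not taken from the FTC complaint or from any Dave & Buster's system, runs those checks over a handful of constructed firewall log lines. The network ranges, the processor address block, the vendor host and the log format are all made up for the example (the addresses are from the RFC 5737 documentation ranges).

```python
"""
Allow-list and egress-volume checks over constructed firewall log lines.
Added example; the policy values below are hypothetical and the log
format is invented for the illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical policy: in-store card-handling servers live in CARD_NET and
# may only send outbound traffic to the payment processor's block
# (PROCESSOR_NET); only one vendor support host may connect inbound.
CARD_NET = ip_network("10.20.0.0/16")
PROCESSOR_NET = ip_network("203.0.113.0/24")
ALLOWED_INBOUND = {ip_address("198.51.100.7")}
# Any single non-processor destination receiving this many bytes from the
# card network in the log window is reported as bulk egress (1 MiB here).
BULK_EGRESS_BYTES = 1024 * 1024

# Invented log format: "<timestamp> <in|out> src=... dst=... dport=... bytes=..."
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: the 10.20.1.5 server talks to the processor,
# then to two unrelated hosts (one of them receiving 5 MB), an allowed
# vendor host and an unknown host connect inbound, and a corporate host
# outside CARD_NET makes an outbound connection that the policy ignores.
SAMPLE_LOG = """\
2007-06-12T02:14:05 out src=10.20.1.5 dst=203.0.113.10 dport=443 bytes=2048
2007-06-12T02:14:09 out src=10.20.1.5 dst=192.0.2.9 dport=22 bytes=512
2007-06-12T02:15:30 out src=10.20.1.5 dst=192.0.2.44 dport=80 bytes=5000000
2007-06-12T02:16:00 in src=198.51.100.7 dst=10.20.1.5 dport=3389 bytes=900
2007-06-12T02:16:10 in src=192.0.2.44 dst=10.20.1.5 dport=3389 bytes=700
2007-06-12T02:17:00 out src=10.30.5.9 dst=192.0.2.44 dport=80 bytes=1000
"""


@dataclass
class Finding:
    ts: str
    rule: str
    src: str
    dst: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def check(lines):
    """Apply the allow-list and bulk-egress rules; return a list of Findings."""
    findings = []
    egress_bytes = {}  # bytes sent from CARD_NET to each non-processor host
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if rec["dir"] == "out" and src in CARD_NET and dst not in PROCESSOR_NET:
            findings.append(Finding(rec["ts"], "egress-not-allowlisted",
                                    rec["src"], rec["dst"],
                                    f"port {rec['dport']}, {rec['bytes']} bytes"))
            egress_bytes[rec["dst"]] = egress_bytes.get(rec["dst"], 0) + rec["bytes"]
        if rec["dir"] == "in" and dst in CARD_NET and src not in ALLOWED_INBOUND:
            findings.append(Finding(rec["ts"], "inbound-not-allowlisted",
                                    rec["src"], rec["dst"], f"port {rec['dport']}"))
    # Volume rule: evaluated over the whole window, one finding per destination.
    for dst, total in egress_bytes.items():
        if total >= BULK_EGRESS_BYTES:
            findings.append(Finding("window", "bulk-egress", str(CARD_NET), dst,
                                    f"{total} bytes to non-processor host"))
    return findings


def run_sample():
    """Run the checks over the constructed SAMPLE_LOG."""
    return check(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.rule}: {f.src} -> {f.dst} ({f.detail})")
```

On the sample the script reports two outbound connections that do not go to the processor, one inbound connection from a host that is not the vendor, and one bulk-egress finding for the host that received 5 MB; the corporate host's traffic is outside the card network and is left alone. That separation is the point of (d): if the card system is segmented, the allow list is short enough to actually enforce and the log review is small enough to actually do.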

The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.